Home page logo
/

webappsec logo WebApp Sec mailing list archives

Re: SSL 2.0 enabled or disabled?
From: Ralf Durkee <rd () rd1 net>
Date: Wed, 19 May 2004 20:55:17 -0400

At 05:22 PM 5/19/2004 -0400, Blane Perry wrote:
Does anyone know of a tool that can scan a web server to determine which
version of SSL is being used?  nmap?  nessus?

Nessus will report the SSL versions.

-- Ralf Durkee, CISSP, GSEC, GCIH
Principal Consultant
http://rd1.net




>>> Ralf Durkee <rd () rd1 net> 05/19/04 05:51AM >>>
At 07:13 PM 5/18/2004 -0700, Ooper Starr wrote:
>>Given all the vulnerabilities with SSL 2.0, do most people disable
SSL 2.0
>>on their servers or are there concerns of potential loss of consumers
that
>>may only have clients that support 2.0 who use the application?  IE's

>>defaults are SSL 2.0 & 3.0 enabled and TLS 1.0 disabled.  Any good
papers
>>about this topic?
>>____________________________________________________________

>As you suggest SSLv2 should be disabled as it is vulnerable. It can be

>disabled without concern for loss of customers. I have been requiring
or
>recommending (depending on my role) disabling SSLv2 for several years,
at
>least since late 2000, as all of the browsers support sslv3 or better.
I've
>always found it curious that IE disables TLSv3 by default, I suspect
the MS
>decision maker just didn't know what TLS was. Most of the servers I
have
>reviewed or audited for the first time, do not disable SSLv2 at least
until
>after the first review.  I also recommend disabling SSLv2 on the
client
>browser and enabling SSLv3 and TLSv1. I have only found 2 web servers
since
>2000 that didn't support SSLv3 or TLSv1.  Although when IE encounters
a
>server that doesn't support it's required versions, it will just sit
there
>and "spin" when it can't complete the handshake, there's no error
message
>given.

-- Ralf Durkee, CISSP, GSEC, GCIH
Principal Consultant
http://rd1.net


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault